Sometimes a field in OpenSearch Dashboards will appear as not mapped: its mapping icon shows a question mark.
The message Field not indexed simply means that nothing in your OpenSearch Dashboards account depends on the field. It wasn’t required for any of your account’s alerts, filters, saved searches, visualizations, dashboards, or any other objects.
### If a field is not indexed
If a field is not mapped in your logs, there are a few actions you won’t be able to perform on it:
- You can’t visualize it.
- You can’t filter on it. It simply won’t appear in the drop-down filter list.
### About array fields
Arrays are not natively supported by the OpenSearch Dashboards interface. When an array is included in a log, the full array is displayed as a single field marked with the icon next to the field name.
In the example below, the array ["a","b"] = [{"a":"1"}, {"b":"2"}] becomes a single field.
Depending on the array, you may be able to search for the string elements inside an array, as in the filter syntax example below.
In general, the more organized and consistent your log structure is (especially if the structure includes unique keys), the more accurate the result of transforming the data in the array will be.

### Add a field to OpenSearch Dashboards’ default mapping
You can always add a field to the list of required fields.
In OpenSearch Dashboards, on the left preview menu, identify the unmapped field. Click the unmapped field to select it, then click the button Field not indexed.
The field will now be added to your default OpenSearch Dashboards mapping.
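Returning to the array fields section: the sketch below is an added example, not code from OpenSearch Dashboards or from this page. It shows one way to expand an array of objects into separate dotted fields before shipping a log, so that each key can be mapped and filtered on its own, and why unique keys matter. The function name, the field names `attrs` and `peers`, and the sample event are assumptions made for illustration.

```python
import json

def flatten_object_arrays(event):
    """Return (flattened_event, kept_as_array).

    An array of objects is expanded into dotted fields (parent.key) only when
    every key is unique across its elements and no resulting name collides
    with an existing field. Otherwise the array is left untouched, because
    merging would silently overwrite values.
    """
    flat, kept = {}, []
    for name, value in event.items():
        is_obj_array = (isinstance(value, list) and bool(value)
                        and all(isinstance(v, dict) for v in value))
        if not is_obj_array:
            flat[name] = value          # scalars and arrays of strings pass through
            continue
        keys = [k for element in value for k in element]
        new_names = {f"{name}.{k}" for k in keys}
        if len(keys) != len(new_names) or new_names & event.keys():
            flat[name] = value          # duplicate or colliding keys: keep the array
            kept.append(name)
            continue
        for element in value:
            for k, v in element.items():
                flat[f"{name}.{k}"] = v
    return flat, kept

# Constructed sample event. "attrs" reuses the array from the text above;
# "peers" repeats the key "ip", so it cannot be flattened without data loss.
SAMPLE = {
    "message": "login failed",
    "tags": ["auth", "ssh"],
    "attrs": [{"a": "1"}, {"b": "2"}],
    "peers": [{"ip": "192.0.2.10"}, {"ip": "192.0.2.11"}],
}

if __name__ == "__main__":
    flat, kept = flatten_object_arrays(SAMPLE)
    print(json.dumps(flat, indent=2))
    print("left as arrays:", kept)
```

Fields reported in `kept` still arrive as arrays and will be displayed as a single field, so they are the ones to restructure at the log source.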